This selection starts RSA key generation at the TKE workstation. The generated RSA key is wrapped under a key-encrypting key that is held in TKE workstation key storage as a DES EXPORTER or AES EXPORTER key and at the host as the corresponding DES IMP-PKA or AES IMPORTER key (the same key value, imported at the host). The wrapped RSA key is saved in a file, to be loaded to the host later.
Notes:
- RSA keys can also be generated and stored directly in the host PKDS using ICSF panels and services (CSNDPKG to generate, and CSNDKRC or CSNDKRW to write the key to the host PKDS). For more information, see z/OS Cryptographic Services ICSF Application Programmer's Guide.
- An RSA key with a modulus length of 1024 bits or less can be wrapped with either a DES IMP-PKA or an AES IMPORTER key.
- An RSA key with a modulus length greater than 1024 bits must be wrapped with an AES IMPORTER key.
From the Domain Keys page, right-click RSA key in the Key Types container and select Generate. The Generate RSA Key window opens.
Figure 1. Generate RSA Key
In the Generate RSA Key window, specify the following information:
- RSA key usage control
- Specifies whether the RSA key can be used for key management purposes (wrapping DES keys for key exchange). All RSA keys can be used for signature generation and verification; only keys generated with the key management usage can additionally be used to encrypt DES keys.
- Key length
- Length of the RSA modulus in bits. With a DES EXPORTER key, any length from 512 to 1024 bits is allowed. With an AES EXPORTER key, any length from 512 to 1024 bits, or a length of 2048 or 4096 bits, is allowed. A length of 2048 or 4096 requires an AES EXPORTER key of at least 24 bytes (192 bits); if the selected key is shorter, a message is displayed. Note that 512- and 1024-bit RSA moduli are below current minimum-strength recommendations; choose 2048 or 4096 bits (and therefore an AES EXPORTER key) unless a legacy dependency requires a shorter key.
- Public exponent
- Value of the public exponent of the RSA key.
- PKDS key label
- Label to be given the imported RSA key at the host. The information
provided in this field can be changed when you load the RSA key to
the host.
- Private key name
- Text string that is included in the RSA key token and cryptographically bound to the key material, so that altering it after generation is detected when the token is used. The private key name can be used for access control on the key at the host. The value entered in the PKDS key label field is copied to this field and can be edited.
- Description
- Optional free text that is saved with the RSA key and displayed
when you retrieve the key.
- Workstation DES EXPORTER keys
- This container displays the labels of the DES EXPORTER keys currently in TKE workstation DES key storage that can be used to protect RSA keys generated at the TKE workstation. Only keys that were loaded into TKE DES key storage with the key usage "for RSA key generation" are listed. To select one of these keys, click Workstation DES EXPORTER keys and select a key label.
- Workstation AES EXPORTER keys
- This container displays the labels of the AES EXPORTER keys currently
in TKE workstation AES key storage that can be used to protect RSA
keys generated at the TKE workstation. Only keys with set attributes
including "Key can be used for IMPORT", "Key can be used for
GENERATE-PUB", and "Key can wrap RSA keys" are listed. To
select one of these keys, click Workstation AES EXPORTER
keys and select a key label.
- Host CKDS key label
- The label, in the host CKDS, of the DES IMP-PKA or AES IMPORTER key that the host uses to unwrap (import) the RSA key. The selected workstation DES EXPORTER or AES EXPORTER key label is copied to this field and can be edited; it can also be changed when you load the RSA key to the host. The host key must hold the same key value as the workstation EXPORTER key that protected the RSA key, or the import fails.
When the key is generated, a window opens that prompts the
user to specify the file location (USB flash memory drive or TKE Data
Directory) and file name for saving the generated RSA key.
Attention : Do not remove a USB flash
memory drive from the USB port before you complete the operation that
is using the drive, or before you respond to a message related to
the operation that is using the drive. If you do remove a drive before
the operation is complete, hardware messages might be generated on
the TKE workstation.
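As an added illustration, and not code from the TKE workstation or ICSF, the following Go program models the controls the Generate RSA Key window applies: it checks the requested modulus length against the wrapping-key family and the 24-byte AES key rule described above, generates an RSA key, wraps the private half under an AES key-encrypting key with the private key name bound to the ciphertext, and shows that an edited private key name or the wrong key-encrypting key cannot unwrap it. AES-GCM over a PKCS#8 DER encoding is a stand-in for the CCA key token format, the private key name as associated data is a stand-in for how CCA binds that name to the token, and the labels and the key values are constructed test inputs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
)

// CheckRSAGenerationPolicy applies the modulus-length rules from the Generate RSA Key window;
// aesExporter selects the AES EXPORTER family (false = DES EXPORTER), kekBytes is that key's byte length.
func CheckRSAGenerationPolicy(bits int, aesExporter bool, kekBytes int) error {
	if bits >= 512 && bits <= 1024 {
		return nil // both wrapping-key families accept 512..1024 bits
	}
	if !aesExporter {
		return fmt.Errorf("a DES EXPORTER key cannot wrap a %d-bit modulus (512..1024 only)", bits)
	}
	if bits != 2048 && bits != 4096 {
		return fmt.Errorf("an AES EXPORTER key accepts 512..1024, 2048 or 4096 bits, not %d", bits)
	}
	if kekBytes < 24 { // the "at least 24 bytes" rule for 2048- and 4096-bit keys
		return fmt.Errorf("a %d-bit modulus needs an AES EXPORTER key of at least 24 bytes, got %d", bits, kekBytes)
	}
	return nil
}

// WrappedRSAKey is what gets written to the file. Hypothetical layout, not a CCA key token.
type WrappedRSAKey struct {
	PKDSKeyLabel   string // label the key will get in the host PKDS; editable at load time
	PrivateKeyName string // bound to the ciphertext as AEAD associated data
	Nonce          []byte
	Ciphertext     []byte // AES-GCM over the PKCS#8 DER encoding of the private key
}

func gcmFor(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek) // 16-, 24- or 32-byte AES key value
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// GenerateAndWrap enforces the policy, generates the RSA key and wraps the private half under the AES key.
func GenerateAndWrap(bits int, kek []byte, pkdsLabel, privName string) (*WrappedRSAKey, error) {
	if err := CheckRSAGenerationPolicy(bits, true, len(kek)); err != nil {
		return nil, err
	}
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, der, []byte(privName)) // the name is authenticated, not encrypted
	return &WrappedRSAKey{PKDSKeyLabel: pkdsLabel, PrivateKeyName: privName, Nonce: nonce, Ciphertext: ct}, nil
}

// UnwrapRSAKey is the importing side: the wrong key-encrypting key, or a name edited after wrapping, fails the tag check.
func UnwrapRSAKey(w *WrappedRSAKey, kek []byte) (*rsa.PrivateKey, error) {
	gcm, err := gcmFor(kek)
	if err != nil {
		return nil, err
	}
	der, err := gcm.Open(nil, w.Nonce, w.Ciphertext, []byte(w.PrivateKeyName))
	if err != nil {
		return nil, fmt.Errorf("unwrap failed (wrong key or private key name altered): %w", err)
	}
	key, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	priv, ok := key.(*rsa.PrivateKey)
	if !ok {
		return nil, fmt.Errorf("wrapped key is not an RSA key")
	}
	return priv, nil
}

func main() {
	kek := make([]byte, 32) // stand-in for a 32-byte AES EXPORTER key value from workstation key storage
	rand.Read(kek)          // crypto/rand.Read never returns an error as of Go 1.24
	if w, err := GenerateAndWrap(2048, kek, "RSA.TEST.2048", "RSA.TEST.2048"); err == nil {
		fmt.Printf("wrapped a 2048-bit RSA key for PKDS label %s (%d ciphertext bytes)\n", w.PKDSKeyLabel, len(w.Ciphertext))
	}
}
```

The policy check runs before any key material exists, mirroring the window's refusal to pair a 2048- or 4096-bit key with a 16-byte AES key or with a DES key at all. Binding the private key name as associated data rather than encrypting it keeps the name readable in the file (it is needed for access control at the host) while making any edit to it fail the unwrap, which is the property the page attributes to the private key name in the CCA token.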